Wide area networks, such as the Internet, provide an ever-increasing community of users with a similarly increasing number of accessible network sites from which those users can gather information, applications, and entertainment. Such an open community also provides opportunity for malicious users and sites to spread malicious software (malware) such as viruses, Trojan horses, worms, and the like. In order to protect users from such malicious activity, anti-malware protection schemes have been devised to alert users to the presence of malware on their computers and to cleanse affected computers from malware.
Typical computer protection schemes react to the presence of malware on an affected computer. A common method of detecting malware relies on signatures extracted from the malware body. Different types of data extracted from a malware body can be used to generate signatures. Such data include, for example, strings (i.e., patterns with or without wild cards), checksums (e.g., CRC, MD5 and SHA1), behavior patterns, file geometry, execution flow geometry, and statistic distribution of code instructions. Any combination of the above list can be used to generate a malware signature, and the list is not exhaustive. More sophisticated polymorphic malware (e.g., malware that incorporates changing encryption algorithms and keys so that replications of the malware are not identical) require more sophisticated signature generation techniques, including cryptanalysis, dedicated decryption routines, emulation, and the like.
In order for security software executing on a computer to be able to detect a newly discovered instance of malware, the computer must be provided with a copy of the signature that has been established to identify the new instance of malware. As many as 7,000 to 10,000 new instances of malware are typically discovered on a daily basis. As an instance of malware propagates through a wide area network, a delay in providing a signature associated with that malware to computers on the wide area network will leave those computers open to attack. Therefore, it is desirable to rapidly distribute newly generated and certified signatures to a community of computers.
Typical anti-malware software downloads new signature definitions at periods of 1 to 8 hours from an update server. Full signature definition files that are retrieved by a typical system contain signature definitions for all currently found signatures or a differential between a currently installed full signature definition file on a client computer and a currently published full signature definition file on a server associated with the anti-malware software. The act of downloading these full definition files by a large number of client computers from one or more associated distribution servers can consume significant network bandwidth resources. Increasing a publication rate of full definition files, in order to improve anti-malware coverage, would lead to a potentially dramatic increase in network bandwidth consumption. It is therefore desirable to implement a system that not only provides updates to signature definitions at a rate on the order of minutes, rather than hours, but also is conservative of network bandwidth resources.